OS X 10.10.2 Challenge Response kind of working...not #51
Comments
This looks like something else in your pam stack (or OS X always requiring at least a password for sudo?) denies the authentication. What are the full contents of the sudo pam.d file?
Hi Klas, my sudo pam.d file looks like this:
I am not aware of a setting that would cause this. Here is what I have in the screensaver pam.d
Unlocking the screensaver also fails. Maybe I misconfigured something within these files, but maybe the use of FileVault disk encryption causes this. Thanks in advance
You could try putting pam_yubico before the other auth stuff so it executes first. I don't know anything about FileVault and how that ties in with pam though.. /klas
I switched the order in the files, but the result remains the same. If I activate the screensaver and plug in the YubiKey, the screen still stays locked. Bye
So, a small update. After changing the order in the sudo pam.d I just need to plug in the key to make sudo work :) Anyway, it still does not work for the screensaver. :(
This is what I get in the system console when I remove the YubiKey, start the screensaver and then plug the YubiKey back into the system:
So, I checked for that error and found this http://forum.yubico.com/viewtopic.php?f=26&t=1574 Afterwards I installed the YubiKey NEO Manager and enabled U2F, nearly giving me a heart attack, because I thought I had just erased everything from my key. So, now the following is happening. The gibberish that I posted at the top when I try to run a sudo command is gone. If the YubiKey is plugged in, I can run sudo commands just by having the key plugged in. The messages in the console log are also gone now when I try to unlock the screensaver with the YubiKey. But it still will not unlock the screensaver. Any ideas where I could dig next? Thanks in advance
After a reboot, sudo still works, the screensaver still gets:
Do I maybe need to install the https://smartcardservices.macosforge.org driver to make this work?
I think you're simply getting stuck on the fact that the screensaver on OS X is not completely integrated with pam, and disabling password auth for it might be impossible / managed by something completely different.
Okay, it seems so. :( Thank you anyway :) At least I have GPG, sudo and some other stuff running with my YubiKey :)
I have it working just fine on Mac OS X with the screensaver, sudo and authorization... Is this still an issue, megatraveler?
Hi Jonny, yes, I just gave up at some point. I can use the key for switching to sudo, but I still cannot unlock the screensaver with my YubiKey. I assume that is maybe because I use FileVault. If you have an idea, I would be glad to hear it :)
In my screensaver pam.d auth file (/etc/pam.d/screensaver):

```
# screensaver: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
```

Please note that the authgroup=yubikey is specific to my implementation and the fork in my repository. I've submitted a request to merge it. Nonetheless, if you remove the authgroup=yubikey, it should work fine for you provided you have done the following:

1. Open the YubiKey Personalization Tool and choose Challenge-Response. Select the HMAC-SHA1 option. Then select Configuration Slot 2. Make sure the "Require user input (button press)" option under the HMAC-SHA1 parameters is UNCHECKED, and ensure Variable Input is selected. Click Generate, then Write Configuration.
2. After that, run `mkdir -m0700 -p ~/.yubico`
3. Make sure your YubiKey is plugged in, and enter the following command: `ykpamcfg -2`. It should tell you that it successfully created a file in your home directory under .yubico (challenge-<serial #>).
4. Then modify your /etc/pam.d/screensaver as seen above, minus the authgroup= (unless you use my fork).

With the current master repo for the PAM module, doing so would require EVERY user to have a YubiKey to unlock the screensaver. My fork adds the authgroup= option, which allows you to specify a group name of users required to have a YubiKey. If the user is not in the specified group, it will skip checking for a key... If you'd prefer that functionality, you won't find it in the current release (yet). I submitted a pull request, though I'm having issues with my editor wanting to automatically correct the indentation of the code without notifying me as I close it... lol

Nonetheless, give this a whirl and let me know if it works out for you. Please keep in mind that this also works for the authorization module (for login). It can work with su and sudo, but you have to ensure you enable tty_tickets, which is disabled on Mac OS X by default (which I find stupid, personally).
Also, as a side note: please ensure that when you run ykpamcfg -2, you are doing it as the user you wish to bind the key to. If you're sudo'd to root, it will put the file in root's home directory, and thus you won't be able to unlock your screensaver because the user running the screensaver won't have a challenge file generated. I did this initially... Luckily, I tested it with the screensaver first, and not authorization. :)
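The setup in the two comments above (mkdir -m0700 ~/.yubico, ykpamcfg -2 run as the unlocking user, not as root) lends itself to a pre-flight check. The following POSIX shell script is an added example and is not code from the original thread or from the yubico-pam project: it verifies that exactly one ~/.yubico/challenge-<serial> file exists in the target user's home, that it is owned by that user, and that it is not readable by group or others, before /etc/pam.d/screensaver is touched. The file location follows the comments above; the helper names `pam_target_user` and `check_challenge_file`, the SUDO_USER handling and the mode check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the yubico-pam project): pre-flight check for the
# challenge-response state file that `ykpamcfg -2` writes under ~/.yubico.
# Assumptions: the file is named ~/.yubico/challenge-<serial> (per the thread
# above); helper names and the SUDO_USER handling are this example's own.

# Print the account that pam_yubico will look up for the screensaver or sudo.
# Under `sudo`, that is the invoking user (SUDO_USER), not root, which is the
# case the comment above warns about.
pam_target_user() {
    if [ -n "$SUDO_USER" ]; then
        echo "$SUDO_USER"
    else
        id -un
    fi
}

# check_challenge_file <home-dir> <owner>
# Returns 0 when exactly one <home-dir>/.yubico/challenge-* file exists, is
# owned by <owner> and has no group/other permission bits; otherwise prints
# the reason to stderr and returns 1.
check_challenge_file() {
    home="$1"
    owner="$2"
    dir="$home/.yubico"
    if [ ! -d "$dir" ]; then
        echo "missing $dir: run 'mkdir -m0700 -p ~/.yubico' then 'ykpamcfg -2' as $owner" >&2
        return 1
    fi
    count=0
    for f in "$dir"/challenge-*; do
        [ -e "$f" ] || continue            # glob matched nothing
        count=$((count + 1))
        # Ownership: find -user accepts a user name or a numeric uid.
        if [ -z "$(find "$f" -user "$owner" -print)" ]; then
            echo "$f is not owned by $owner (was ykpamcfg run under sudo?)" >&2
            return 1
        fi
        # Mode: characters 5-10 of `ls -ld` are the group/other bits; require none.
        case "$(ls -ld "$f")" in
            -???------*) ;;
            *) echo "$f is readable by group/others; chmod 600 it" >&2; return 1 ;;
        esac
    done
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one challenge file in $dir, found $count" >&2
        return 1
    fi
    return 0
}

# Typical invocation on the machine being configured:
#   check_challenge_file "$HOME" "$(pam_target_user)"
```

Run it as the user whose screen is being unlocked, before editing the pam.d file, so that a wrong owner or a missing file is caught while password authentication is still in place.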
Hi,
I set up my new YubiKey in my OS X PAM configuration as described at https://developers.yubico.com/yubico-pam/MacOS_X_Challenge-Response.html
I entered the
line into /etc/pam.d/sudo
This is what I get as output when I try to sudo:
So, it gives me a success at the end, but OS X seems really unimpressed by this and still asks me for the password -.-
Where do I go wrong? :/
I have already been searching for a week, but of course I also do not want to brick my box by removing password auth from /etc/pam.d/sudo
It also fails when I try to do the same in /etc/pam.d/screensaver :(
Thanks in advance